22.08.100.0

Need help?

Schedule a consultation with an Azul performance expert.

22.08.100.0

Release date: October 18, 2022

This CPU release is based on Azul Prime 22.08.1.0 and corresponds to the following OpenJDK versions:

Major Version	OpenJDK Version
8	8u351b01
11	11.0.16.1.101+3
13	13.0.12.0.101+2
15	15.0.8.0.101+2
17	17.0.4.1.101+2

What’s New

October 2022 CPU release security fixes.

CVE fixes

CVE #	Component	Protocol	Remote Exploit w/o Auth.	Base Score	Attack Vector	Attack Complex	Privileges Req’d	User Interact	Scope	Confiden-tiality	Integrity	Availability	Versions Affected	Notes
CVE-2022-21618	JGSS	Kerberos	Yes	5.3	Network	Low	None	None	Unchanged	None	Low	None	17, 15, 13, 11	Note 2
CVE-2022-21626	Security	HTTPS	Yes	5.3	Network	Low	None	None	Unchanged	None	None	Low	15, 13, 11, 8	Note 2
CVE-2022-21628	Lightweight HTTP Server	HTTP	Yes	5.3	Network	Low	None	None	Unchanged	None	None	Low	17, 15, 13, 11, 8, 7	Note 1
CVE-2022-21619	Security	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 15, 13, 11, 8	Note 2
CVE-2022-21624	JNDI	Multiple	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 15, 13, 11, 8	Note 2
CVE-2022-39399	Networking	HTTP	Yes	3.7	Network	High	None	None	Unchanged	None	Low	None	17, 15, 13, 11	Note 1
CVE-2022-32215 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: Node (Node.js)	HTTPS	Yes	9.1	Network	Low	None	None	Unchanged	High	High	None	None
CVE-2022-21634 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: LLVM Interpreter	Multiple	Yes	7.5	Network	Low	None	None	Unchanged	None	None	High	None
CVE-2022-21597 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.	Oracle GraalVM Enterprise Edition: JavaScript	HTTP	Yes	5.3	Network	Low	None	None	Unchanged	Low	None	None	None

CVE #

Component

Protocol

Remote Exploit w/o Auth.

Base Score

Attack Vector

Attack Complex

Privileges Req’d

User Interact

Scope

Confiden-tiality

Integrity

Availability

Versions Affected

Notes

CVE-2022-21618

JGSS

Kerberos

Yes

5.3

Network

Low

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 2

CVE-2022-21626

Security

HTTPS

Yes

5.3

Network

Low

None

Unchanged

None

Low

15, 13, 11, 8

Note 2

CVE-2022-21628

Lightweight HTTP Server

HTTP

Yes

5.3

Network

Low

None

Unchanged

None

Low

17, 15, 13, 11, 8, 7

Note 1

CVE-2022-21619

Security

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

Note 2

CVE-2022-21624

JNDI

Multiple

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 15, 13, 11, 8

Note 2

CVE-2022-39399

Networking

HTTP

Yes

3.7

Network

High

None

Unchanged

None

Low

None

17, 15, 13, 11

Note 1

CVE-2022-32215 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: Node (Node.js)

HTTPS

Yes

9.1

Network

Low

None

Unchanged

High

None

CVE-2022-21634 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: LLVM Interpreter

Multiple

Yes

7.5

Network

Low

None

Unchanged

None

High

None

CVE-2022-21597 This CVE is not applicable to Azul Zing Builds of OpenJDK. It is listed here for comparison with other Java implementations which may contain this CVE.

Oracle GraalVM Enterprise Edition: JavaScript

HTTP

Yes

5.3

Network

Low

None

Unchanged

Low

None

Notes:

ID	Notes
1	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).
2	This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Notes

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.

Resolved Issues

There are no resolved issues associated with this release.

Known Issues

There are no new issues to report in this release.